The Senate Committee on Business and Commerce met on March 30 to hear invited testimony and discuss interim charges as well as an update from the Public Utilities Commission of Texas and the Electric Reliability Council of Texas.
 
Examine cyber-security efforts undertaken by state entities and study the legal, policy, and privacy implications of the trend toward storage of personal, private, and business confidential information in network attached storage, cloud storage, and other developing data storage options rather than on local devices. Make recommendations on how to best protect Texans' financial and personal information.
 
Eddie Block, CISO State of Texas

  • Provides statewide cybersecurity policy and risk assessment
  • We do penetration testing for state agencies (white hat hacking)
  • Non-technical security assessments are also done
  • Also focus on agency and higher education protection of data

 
Dale Richardson, Department of Information Resources

  • DIR is increasingly looking into commercial cloud services under state procurement conditions
  • In 2013, 24 master cloud contracts were awarded to vendors, totaling $3.4 million
  • Utilization has increased year over year as institutions become more comfortable using cloud services
  • A little less than half of 42 institutions using commercial cloud services are state agencies
  • There are 2 major public cloud providers with limited offerings to protect integrity of state’s data, but services will be added
  • Community and hybrid clouds will be best approach for state usage going forward
  • Sen. Hancock asks about funding of Data Center Services
    • IT infrastructure is included in agency LAR
  • Sen. Hancock asks how often system computers are replaced
    • Every 5 years

 
Ram Krishnan, University of Texas San Antonio

  • ID resources are acquired in two ways
    • On premise
    • Cloud resources
  • Concerns that need to be kept in mind when moving to cloud resources
    • Shared resource
    • Cloud provider must be trusted
    • Data at rest has to be encrypted at all times, and keys must be encrypted separately
      • As consumer you should bring your own keys and not keep them in the cloud
    • It is easy to put data in the cloud, but sometimes difficult to take it out if you want to migrate to a different service provider
  • Deployment options of cloud services
    • 100% on premise
    • 100% off premise
    • Hybrid solution
  • Risk profiles vary greatly between the three deployment options
  • Best mix is the hybrid cloud because it mitigates risk

 
Jesse Rivera, CIO, Comptroller of Public Accounts

  • Cybersecurity efforts at Comptroller’s office
    • Comptroller Hegar sets the tone for cybersecurity at the top
    • Information security is a separate division from IT
    • Employees are held to standards on security and privacy
    • Developed security roadmap based on type of data that the agency protects
    • Block transmission of any information with social security numbers or other private information
    • Managed Security Services is a contract to manage network within the agency
    • Biometrics used for very sensitive information at the agency (fingerprints)
    • Phishing campaign that grades employees to check for human error
  • In order to ensure protection of confidential information, all information on Storage Area Network (SAN) is encrypted
  • Always working on new security projects to protect information
  • Sen. Seliger asks what has been done since the “breach” at the Comptroller’s Office in 2011
    • Require rigor and structure necessary to protect information
    • 2011 breach was human error
    • Focus on employees using “good hygiene” at home as well as at the office

 
Monitor the implementation of legislation addressed by the Senate Committee on Business and Commerce during the 84th Legislature, Regular Session and make recommendations for any legislation needed to improve, enhance, and/or complete implementation.
Specifically, monitor the following:

  • State agency participation in the federal electronic verification of employment authorization program;
  • The current consent policy for state disclosure of personal data.

 
Susana Holt, Texas Workforce Commission

  • In 2014, Perry issued executive order to verify eligibility of current and future state employees through e-verify
  • SB 374, Schwertner (84R) was designed to keep taxpayer dollars from going to workers who aren’t authorized by using the E-Verify system
  • Incorporation of e-verify was seamless for TWC
  • Technical support is provided by TWC upon request from agencies
  • Sen. Schwertner asks if there is any concern that state agencies are not complying with e-verify
    • State agencies adopted quickly
  • Sen. Schwertner asks if agencies have to report compliance back to TWC
    • Agencies do not report back to TWC that they are compliant
  • Sen. Hancock asks what type of oversight there is on implementation or if we need to come back and address oversight
    • TWC does not have oversight authority
    • The committee has more purview of oversight
  • Sen. Hancock asks what percentage Holt would guess are actually compliant
    • Can only speak to large and medium sized agencies, and to the best of her knowledge they are compliant
    • Does not have information on actual utilization rate, but the process is easy
  • Sen. Schwertner asks if there are any problems of requiring state contractors to use e-verify; would there be any roadblocks relative to what our agencies do?
    • It would be as easy for public entities as it has been for state agencies

 
David Talbot, Office of the Attorney General was scheduled to testify, but was unable to appear
 
Receive updates from the Public Utility Commission of Texas and the Electric Reliability Council of Texas.
 
Donna Nelson, Public Utility Commission of Texas

  • PUC handles water, telecommunications, and electric utilities
  • Oversees wholesale electric utilities market within Texas
  • Most telecommunications companies have been deregulated, starting in 1995
  • Universal service fund that provides telecommunications service to rural areas
  • Sen. Huffines says he is concerned about the integrity of the interstate electric grid
    • We have connections into Southwest Power Pool
    • We do, however, have assurance from Federal Energy Regulatory Commission (FERC) that we will not be subjected to federal jurisdiction
    • This started in 1976 so the risk that this would change is very small

 
Bill Magness, ERCOT

  • Non-profit organization established by legislature in 1999
  • There are links between ERCOT grid and Mexico and the rest of the country, but there is no jurisdiction question because we have ability to open and close DC ties to Southwest Power Pool
  • ERCOT covers about 90% of demand in Texas
  • We had highest peak of usage this last summer since 2011 – this is due in part to economic growth
  • Generation sources for ERCOT have changed since 1999 – we have more efficient natural gas units; renewables portion of power generated has grown and will continue to do so
  • Try to communicate well with regulators, public, and market

 
Hearing Adjourned